Akamai recently released its latest State of the Internet (SOTI) report, focusing on the financial sector. This SOTI edition, titled “Financial Services Attack Economy,” highlights the vast array of cyberattacks targeted at the financial systems ecosystem over the past 18 months.
In this DevOps Chat, Martin McKeay, a cybersecurity veteran, joins us to discuss highlights from the report, including readily available lists of compromised user IDs and passwords, stuffing attacks, low-cost or free all-in-one (AIO) attack tools and the characteristics of phishing attacks against enterprises versus financial institutions. There’s a lot more, too.
As usual, the streaming audio is immediately below, followed by the transcript of our conversation.
Mitch Ashley: Hi, everyone, this is Mitch Ashley with DevOps.com, and you’re listening to another DevOps Chat podcast. Today, I’m joined by an old friend and colleague, Martin McKeay, editorial director at Akamai. Our topic today is Akamai’s State of the Internet report, focusing on financial services’ attack economy. So, it’s super interesting, especially given some things that have happened recently.
Martin, welcome to DevOps Chat.
Martin McKeay: Well, thank you for having me, and it’s good to talk to you again, Mitch.
Ashley: It has been a while since we’ve been on a podcast together. [Laughter] So, it feels good, it feels like an old sweater, putting it back on.
McKeay: Yeah, you and I are not a stranger to this mode of communication or to podcasts in general. So, yeah, we go back about—what, 12 years?
Ashley: Yeah, yeah, I think about that. I think, you know, I’ve been on your podcast, you’ve been on mine and Alan’s and different ones, so yeah, I think it’s been about 12 years, so, good to be back in the saddle again.
Well, for those folks who don’t know you, why don’t you introduce yourself a little bit, tell us about you, what you do at Akamai and just briefly—hopefully, everybody knows Akamai, but give us a sense or two of what Akamai does.
McKeay: So, I’m Akamai’s Editorial Director. I’ve got like 20 years of background in security, and somehow, that got me to being a writer and editor of security reporting, of security tools. And I get to help direct where some of our reporting goes on the huge data sets that Akamai has. If people aren’t aware of it, Akamai is one of the biggest content delivery networks and security networks in the world. Somewhere around, I think our average right now is about 50 terabytes a second of the world’s Internet traffic flows across our network.
So, we’ve got a huge amount of data that we’re pooling from, and this report highlights how we’re trying to look across multiple data sets instead of just looking at one type of data or one type of attack and draw conclusions from that.
Ashley: You know, there is some comfort. You obviously see a vast amount of information traffic flowing across the content distribution network, so you’re in a great position to see kinda what’s happening and see the trends, see the new things that are occurring.
McKeay: Well, that’s exactly right. And part of why we’re doing the SOTI, the State of the Internet security reports, part of why we’re doing it in this way is, it’s important to pull back the lens and look at attacks against organizations as an ecosystem. The fact that we’re looking at credential stuffing for financial services is important, but how do things like web application attacks, how does DDoS fit into that? How does phishing fit into that?
That was a lot of what’s important to us. I mean, the DNS information that is out there that we can tie into that was really important. I mean, on a case at DNS, we found that while financial services aren’t always the biggest number of attacks straight up, the impersonation attempts of the financial services and the DNS information financial services use accounted for nearly 50 percent of that particular data set.
McKeay: So, banks, credit unions, investment firms—they’re really, really under attack on a daily basis, and it’s not gonna stop anytime soon.
Ashley: Well, it’s like the old joke—why do robbers rob banks? Because that’s where the money is, right? [Laughter] Same kinda thing on the Internet.
McKeay: Yeah. And I mean, one of the things that we talk about in this report is that Steve Ragan, one of my writers, actually, while we were starting to write the report, his account got attacked, he became part of a localized attempt to do credential abuse against his bank. And, over the course of a weekend, his account got locked out two or three times.
So, this is not just an ephemeral something that’s way out there that nobody actually has to deal with. This is something that’s hitting people on a personal level and actually having impact on day to day lives.
Ashley: It’s really interesting that happened while you were doing this report, because in the report, it actually has a one page section on Steve and what he experienced.
So, let’s step back for a minute. You’re focusing, obviously, on the financial services industry because that’s where the money is, that’s where the attackers go. You mentioned, also, gaming having a large number of attacks, actually, in terms of total quantity, right? Gaming sites are a big target of this, but in terms of what most of the attacks are actually going after is financial institutions. Do I have that right?
McKeay: You do, but remember, as I said, this is an ecosystem. So, gaming attacks and credential abuse against gaming is tied to financial services attacks.
Ashley: Mm-hmm. Okay.
McKeay: When you look back at it, you’ve got things like, Have I Been Pwned? where Troy Hunt is keeping a massive database of all of the credentials that have been stolen over the last, I guess, almost a decade now. And those were used as sort of a starting point in some of these attacks as, somebody pulls up a tool that they can just buy off the Internet, they feed it this credential list. They then go attack a site or they use it to do a bunch of credential stuffing attacks against a site.
It doesn’t matter where, they’re just going out there to try and test out this list to see what’s happening. When they do that, they get, some of these credentials turn out to be good. Even if you’re going against a gaming site, the people that are reusing their passwords, their usernames, those are then getting tested against banks, against other things. We see the phishing. A lot of times the phishing attempts are aimed at trying to add valid usernames and passwords to the list that people are using.
So, it really is all tied together, and it’s all tied together to try and get money.
Ashley: You know, your point about this being an ecosystem is a good one, actually, and actually, you refer to it in the report, also, as an economy, because there are people who take the data breaches, assemble these collections of lists of user ID and passwords, and that’s where these stuffing attacks come from, right, where they’re doing combinations of user ID and passwords, automated attacks, repeated and repeated until they get one that goes in, which, of course, speaks to why you don’t want to reuse your passwords.
McKeay: Yeah. I mean, people ask what should the user do, and quite frankly, using password vaults is the single biggest thing a user can do of having a random password that they cut and paste from one password or last pass or something, or even, quite frankly, using a small notepad and keeping semi-random passwords in that, rather than just reusing the same passwords again and again so you can remember them.
Ashley: Mm-hmm. That’s great advice for us as individuals. What are the learnings in this report that apply to the enterprise medium sized businesses? What are there takeaways?
McKeay: It’s kinda hard to tell banks what they should do, for a number of reasons, but the biggest one is because they are all individual organizations, just like we are all individual people.
I think that banks should be starting with educating their users. We mentioned gaming, and one of the things that we talked about last month in our other report was that gaming companies are doing a lot to educate younger users about two-factor authentication, about not reusing passwords. Banks need to be doing that same level of education. The problem is, banks have to do that with older customers who are already kinda set in their ways. So, it becomes a little bit harder to teach them. The other thing is—
Ashley: I was just gonna say, younger folks are kind of in this economy, right? They’re in this online ecosystem and so they’re living and eating, breathing it more often.
McKeay: Yeah, and when I say older, I don’t mean 40s, 50s, 60s, 70s. I mean even late 20s, early 30s. People who are using the Internet at those rates, as kids are. Because quite frankly, a lot of the gaming audience is in their 20s and 30s. I mean, I spent three or four hours playing Borderlands 2 yesterday. So, it’s not like us older folks don’t play games, too.
Ashley: [Laughter] We do. I still do, as well. So, thinking about enterprises, banks tend to be on the forefront of cyber security; other enterprises, maybe less so, not quite as sophisticated. Do you think there’s some takeaways for folks that aren’t banks in this information?
McKeay: I think there is, because banks are mostly—think of them almost as a bellwether. I mean, right now, what we’re seeing against some of the gaming companies and some of the other, some of the retail companies may be a bit more edgy and a bit more, I should say, on the edge of what’s possible. But banks are pretty stable, have systems that are pretty well set in their ways, and so, the attackers use that to their advantage.
McKeay: You asked about some of the things that banks and other organizations can do—first of all, it’s just having awareness that there is an issue. I mean, there’s good evidence out there that some companies are not paying as much attention to the log-ins as they should be. You don’t necessarily see everybody paying attention to the numbers of log-ins, unless it starts causing a problem.
The other thing to be careful about is to have businesses start looking at their APIs. I mean, when you have an API, it’s really meant to be computer to computer, or computer to application driven. But we’re starting to suspect that there’s a lot of attacks going against APIs that are just not being noticed because it doesn’t have the same level of coverage, the same level of awareness in the enterprise as the user log-in does. And quite frankly, if you’re not paying enough attention to that, it can go a long period of time without somebody noticing that your API has been compromised.
Ashley: Mm-hmm. It looks like another system and if you don’t know it’s not a legitimate system, things go on.
Ashley: You know, some of the interesting things, too—the timing of this report coming out, you know, Capital One announced their breach in late July, 100,000,000 people, credit scores, balances, all kinds of stuff. This apparently was done by an insider, an employee at the company who broke into some cloud server firewalls in AWS. Is that the kinda thing you’re probably not gonna see in an Akamai report, correct?
McKeay: Well, no, we wouldn’t—first of all, we wouldn’t be allowed to talk about a specific customer unless they agreed, so you’re not gonna see us naming names 90 percent of the time.
McKeay: On the other hand, this is sometimes sort of some of the data we have, because we do have a web application firewall that was built into the network. We are reporting on some of that data. So, there’s some of it that, yeah, we possibly could see at the least granular level. Meaning, we’re going to see attacks that are on the range of hundreds of thousands to millions against a single customer.
McKeay: We’re not necessarily, in my reporting, gonna be able to look at one or two customers and say, “This is what they saw.” But that’s probably not the type of attack a web application firewall is gonna catch in the first place.
Ashley: Yeah, not an insider threat, someone who already has access. And to your point, you know, you’re showing us what the trends are and what the volume—which also, of course, speaks to automation. I thought it was also interesting, of course, you know, we talk about end users, we need to talk about phishing. That, in the enterprise segment of it, the domains that were used were from technology companies when phishing was directed at enterprises. Whereas with consumers, it’s more often financial services domains that are targeted phishing attacks at those end conscious.
McKeay: Yeah, we don’t have a real good, clear understanding of why the high tech shows up so much for the enterprise side, but I suspect part of it is, is because a lot of this is social media companies, it’s other companies around the web that actually have access to our credentials more so than, say, a bank or e-commerce does. These are the types of companies that may have—may be just a jumping off point, basically, is what I’m thinking.
McKeay: You get access into their networks and you have access to other stuff.
Ashley: Interesting. I’m just trying to understand that myself, too, and the report doesn’t go into depth about what the tech domains are, but might it be someone who is impersonating a Dropbox admin contacting you about resetting a password or something or, you know, a technology service like that to a business, to the end users at a company?
McKeay: There’s no lack of who it can be, and we’re seeing that there’s just so much of it—I mean, part of what we talk about in the report is the kits that people can buy. You can go out and, for as little as $20.00, if you’re wanting to attack a company, you can go out and buy one of these all in one botnets where you’re buying the tools to create a botnet, to harvest the credentials, to test the credentials. You can buy a phishing kit that, in a lot of cases, comes pre-programmed, pre-configured to target specific companies.
So, all of this is actually out there. I hate using the term dark web, but it’s probably the best one we can use right now of where people can go with a credit card and very little technical knowledge and get all of the tools they need to start this whole process to go from just having a list of usernames and passwords they found on the Internet to actually compromising accounts and being able to steal people’s game accounts or people’s financial services accounts.
Ashley: You know what’s interesting about the all in one tools that you talked about in the report, things like Sniper, is that they’re tuned, as you said, you can get them tuned to go after certain targets, certain companies. But they also take these lists, it’s kind of a brute force—it’s high volume, high automated, you know, much more probability of success.
McKeay: And one of the things we’ve been discussing ourselves is that this is a way for a criminal to make money—it’s creating these sorts of kits. Not using them, but creating the kits themselves is a way for a criminal to make money that is relatively low risk to them. It may not get them the actual account numbers, it might not get them the actual dollars and pounds from an account, but it will be much safer and it will be much less likely that they’ll be picked up by Europol, by the FBI, by Scotland Yard than the people who are actually doing the attacks themselves.
Ashley: Really good point. I’m curious, I know your report doesn’t kinda go into this, but I was just wondering from your own professional experience, you know, you’ve been in cyber security for a long time—do you think these preconfigured, all in one tools have as much success rate or greater success rate than, say, a hacker doing it themselves rather than getting some free or minimally paid for piece of software to do this? Are they that good?
McKeay: I don’t know if they’re that good. We’re still looking into that a little bit and what they’re aimed at. Because the different tool sets do have different purposes. And quite frankly, it depends. We know some really good people, and some of them we’ll be seeing next week at Black Hat and DEF CON, who can program and write tools to exploit with the best people in the world.
McKeay: You’re not gonna be beating some of those people for phishing, for exploits. On the other hand, if you’re a 15-year-old who just wants to get to somebody’s account online, if you’re a 20-something who doesn’t have a lot of technical skills but has an idea of how they might wanna write a phishing e-mail scam or write something to test accounts on a bank—if you’re that type of person, which most people are, you’re gonna have much better success with one of these tools than you will trying to develop your own, trying to roll your own from the start.
I mean, directly to the DevOps community, this is like somebody trying to do encryption for a product themselves versus trying to learn how to use the encryption tools that are out there. Yeah, some of them might be able to build better encryption than the professionals, than the tried and true methods, but 95 percent of the time, if you try and roll your own encryption, it’s going to be bad.
Ashley: It just makes the bar lower for people to get into this. They don’t have to create all the sophisticated tools, at least at the beginning.
McKeay: Right. And one last thing I kinda want people to know is, a lot of this is coming from the U.S., it’s targeting the U.S. That is not something that’s gonna change any time soon. A lot of the attacks we see are U.S. attackers targeting U.S. companies. But, that being said, we’ve been seeing Russia more often in the top two or three. We’ve been seeing China consistently in the top two or three. There is some—how to put it? There is some consistency in the places this is coming from and targeting, but it’s almost all targeting the U.S., because back to your point from earlier, that’s where the money is.
To be clear, that’s just where the last hop is before it’s hitting Akamai. We don’t know that’s where the attackers are, for certain.
McKeay: But we have reason to suspect that, in most of the cases, it is in the country and the region that they’re in that the attackers are. But there’s gonna be exceptions to that—of people using VPNs, of people using bulletproof hosting providers and things like that.
Ashley: This has been a very well put together program that you’ve been a part of for some time. I’m just curious what your thoughts on what you kinda see down the road of things we might see coming from you in terms of these kinda reports. Do you typically focus on gaming and financial or are there other areas that you’re exploring or considering for the future to report on?
McKeay: I’m always bent on doing better next time, of evolving, of trying something different. Because the story gets boring if I tell the same stories again and again. We’re looking at diving deeper into phishing in the future. We’re looking at some of the carrier data we have. The next report is planned to be on retail, because Christmas is coming. Winter is coming—no, Christmas is coming—
Ashley: [Laughter] Different show.
McKeay: – all too soon—yeah, different show. And I think we want to take a look at what is happening with retail organizations and what’s some of the things that they might be seeing over the Christmas holidays, over the holidays and what that means. Because, again, this is just a microcosm. This is a snapshot on one slice of the threat landscape, but it does have reflections and interactions with the rest of the landscape.
Ashley: You know, one of the really—thank you for that, Martin—one of the really valuable things, I think, that this report could be used for is for a CSO or a security professional in a business is to be able to kinda take a summarized, packaged version of this and present it to their senior executives to say, “These are the kinda things that we’re preventing. This is what your investment is being used for, because these things are happening, and listen, I was just using this to scare you, but it’s real stuff and we’re using intelligence like this for mock and to help guide and direct at least one of the resources to do that for our program.”
McKeay: Yeah, if anybody wants the slides or a slide, let me know, I can provide those.
Ashley: Where can folks contact you or download the report?
McKeay: Akamai.com/soti to download the report, and I think that there is a link there that they can send in, or they can just contact me directly at email@example.com.
Ashley: Great. I’ll make sure we include that in the writeup online. So, everyone, we’ve listened to another DevOps Chat podcast, and I’d like to thank my good friend, Martin McKeay, Editorial Director at Akamai, for joining us. Thank you, Martin.
McKeay: Thank you, Mitch.
Ashley: And of course, we’d like to thank our listeners, you, for joining us today. This is Mitch Ashley with DevOps.com, you’ve listened to another DevOps Chat. Be careful out there.